DSig Q & A

  • Article

I'm going to cover the answers to some of the questions that came in after Shelley answered the first round in her post.

Q: What will happen if I try to verify a doc signed in 2010 in office 2007/Office 2007 ?

A: I'm assuming that the person asking meant 2007/2003. Office 2007 doesn't understand XAdES extensions, and can't use it to ignore an expiration. If the certificate isn't expired or revoked, it will evaluate the signature just fine. Note – there was a requirement that all top-level Reference elements had to be to an Object element. If Office 2007 is rejecting a valid Office 2010 signature, it means you haven't applied recent updates. Go apply your security patches, which will update MSO.dll to the latest version, and the problem will be solved. There's also a QFE for it, but I don't know the number.

This also depends on the algorithms used – Office 2007 doesn't understand hashing algorithms other than SHA-1 being used in a signature, and can't yet use CNG public key algorithms.

Office 2003 (and earlier) doesn't recognize XML-DSIg signatures at all, and will see the document as unsigned. This is unfortunate, but the last service pack for Office 2003 went out a while back. We're going to try very hard to not put you into that situation again.

Q: Mihail Romanov asked: Shelly, how can i use national algorithms, e.g. GOST (national standard in Russia), for digital signatures in Office 2010?

A: This is a bit of a problem. The XML-DSig standard specifies that the algorithm has to be cited as a URI, for example, here's SHA-1:

<DigestMethod Algorithm="https://www.w3.org/2000/09/xmldsig#sha1"/>

The URI's available to us are defined in RFC 4051, and unfortunately GOST isn't one of them. The XML-DSig standard does not specify how to deal with a situation where you have an algorithm that's not listed. I've asked about this, and was told you could put anything in there, but that won't interoperate with other implementers, which isn't the best situation. I would like it if the XML-DSig committee could please clarify this – one suggestion I might make would be for the Algorithm attribute to be either an URI or an algorithm OID – the algorithm OID should be something one could interoperate with. Another suggestion would be to make a DigestMethod element with a more robust way of expressing algorithms. I would personally like to solve this problem, but I don't have a solution at the moment. It is also a bit of a problem that Windows doesn't ship an implementation of GOST, but if we could overcome the URI issue and you had a CNG plug-in for GOST hashing and public key operations, then this could be fixed.

Q: It looks like Office 2010 Beta doesn't support certificates with private keys stored in third-party CSPs on Windows 7 and Vista. Word, Excel, PowerPoint fail to sign documents with such certificates.

A: Yes, there was a bug there. We'll fix that – not sure exactly when the fix will be available. Stay tuned. If it is possible, us a CNG plug-in, which will work fine.

Q: Great to see XAdES being adopted in Office 2010. Disappointed though that looking at the signature produced the content of most of the elements of the XAdES object in the _xmlsignatures\sig1.xml were empty. Is there a beta available with the completed XAdES object?

A: The full release version will take you up to XAdES-X-L. As I noted in my last post, there's a number of the elements that we haven't done anything with yet. Implementing everything possible would be quite a bit of work. If you read the last post, which of the elements that we haven't used yet seem most useful?

Q: Will OneNote 2010 support digital signatures? OneNote would be perfect for a electronic laboratory notebook if only it supported digital signatures for intellectual property purposes.

A: Interesting suggestion. OneNote likes to update notebooks constantly, and might be a challenge to sign. To be very honest, we hadn't thought of that yet. We should look into it. Thanks for the feedback.